If you were to skip briefly back to my first post I referred to a document by the European Network of Forensic Science Institutes. Whilst it's slightly dated, their best practice guide for forensic IT labs is still an excellent summary of requirements for a 'quality focussed' digital forensics lab. It doesn't tell you what tools to use, where to find the 'smoking gun' you've been looking for or how to image a hard drive but it does describe the processes you'll need to work these out for yourself and prove to another party that you've been thorough in your preparation, examination and reporting. In fact it does an excellent job of translating the internationally recognised standard for forensic labs ISO 17025 for our juvenile corner of forensic science (yes, we're not that different from the other forensic disciplines, see HogFly's blog).
But who uses it? Well without conducting a survey, I could only reason that the fact that the best practice guide follows so closely the international standard, anyone who follows this guide would have attained, or would be in the process of attaining the ISO 17025 certification. After all, why not pay the few extra pounds to get a certificate if you've done the hard work already? Well, for the UK it's just two organisations, in the whole country, who are accredited (do a search for 'forensic' and look for 'data capture'). One for just 'Mobile Phone Handsets and SIM cards' and the other also including 'Computers and Computer Media' and whilst I know that a few labs have the generic quality certification (ISO 9001) and fewer still also have the Information Security certification (ISO 27001), they both seem to skirt around the issue of standards in digital forensic labs. Even ISO 17025, a standard for calibration and testing labs, but regularly used in traditional forensics, requires skillful use of the shoehorn to make it fit. Which brings me back to the ENFSI best practice guide as an example of such a shoehorn that seems to look quite usable.
Unfortunately for the UK/ European digital forensic community, ENFSI membership is normally restricted so that wider participation in developing and promoting these standards
would be limited through this organisation. The American Society of Crime Laboratory Directors / Laboratory Accreditation Bord (ASCLD/LAB) isn't so restrictive and has a scheme whereby a lab can be accredited to a standard that includes ISO 17025 and is 'enhanced' for our specialism.
Is this the way forward then? Have I found the lab standard I've been looking for? Maybe not, but it's the best I'm aware of so I think I'll give it a shot.
3rd edition of Ross Anderson’s Security Engineering now freely available
for download
-
Ross Anderson had agreed with his publisher, Wiley, that he would be able
to make all chapters of the 3rd edition of his book Security Engineering
availabl...
2 days ago
1 comment:
new link to the document
http://www.enfsi.eu/uploads/files/ENFSI_Forensic_IT_Best_Practice_GUIDE_5%5B1%5D.0.pdf
Post a Comment